CVE-2021-24129
Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.
Una entrada no comprobada y una falta de codificación de salida en el plugin Themify Portfolio Post de WordPress, versiones anteriores a 1.1.6, conlleva a vulnerabilidades de tipo Cross-Site Scripting (XSS) Almacenado que permiten a usuarios pocos privilegiados (Colaborador+) inyectar código JavaScript o HTML arbitrario en publicaciones donde Themify Custom Panel está embebido, lo que podría conllevar a una escalada de privilegios
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-04 CVE Published
- 2021-01-14 CVE Reserved
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/c8537e5f-1948-418b-9d29-3cf50cd8f9a6 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Themify Search vendor "Themify" | Portfolio Post Search vendor "Themify" for product "Portfolio Post" | < 1.1.6 Search vendor "Themify" for product "Portfolio Post" and version " < 1.1.6" | wordpress |
Affected
| ||||||